This is a bit of a brain dump so that I don’t forget this little tidbit in future.

Scenario

You have a shiny new Samba 4 active domain controller (or two) responsible for the domain ad.youroffice.example.com. You have a couple of DNS servers that are responsible for non-AD parts of the domain and the parent youroffice.example.com. To have everything go through one place, you’ve set up these servers with slave domains for ad.youroffice.example.com.

Joining your first Windows 7 client yields a message like this one. You’re able to resolve yourdc.ad.youroffice.example.com on the client but not the _msdcs subdomain.